By Ryan Squires Posted May 8, 2019
There are a number of excellent wireless access point (WAP) manufacturers on the market today. One of the leading brands in this space is Ruckus; competitors in this market also include Meraki and Aruba. Brand names aside, many of JumpCloud®'s customers use Ruckus WAPs alongside their cloud RADIUS service. In this article, we will discuss VLAN steering with Ruckus and how it benefits you and your organization.
Many IT organizations are looking to step up their network security and have already done so by leveraging JumpCloud's RADIUS-as-a-Service platform. Simply put, the cloud RADIUS service authenticates users individually to the WiFi network with their core identities (that is, the ones they use to access their systems), which could be the same as those in G Suite™ or Office 365™. This approach to network security is a significant improvement over a shared SSID and passphrase.
Network Segmentation and VLAN Steering
The next step in the network security strategy many are taking is to dynamically place users in separate virtual local area networks (VLANs). Wireless access point manufacturers such as Ruckus provide the ability to segment the network into different VLANs. This segmentation essentially creates independent networks, all within an individual LAN. Further, manufacturers enable those VLANs to be tagged, so users can be dynamically assigned to the proper tags (network segments) when they authenticate via the RADIUS protocol. The benefit of this approach is increased security and control, because it limits what users can see and access on the network. Ideally, users have access only to what they need and nothing more. Overall, it is a reduction in the attack surface of the network: if one segment were compromised, the entire network would not be at risk.
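As an added example (not from the original article, JumpCloud, or Ruckus), the Python code below shows how a dynamic VLAN assignment is carried in a RADIUS Access-Accept using the three tunnel attributes that RFC 3580 specifies, together with a check that returns no VLAN when those attributes are missing or malformed. The group names and VLAN IDs are constructed for illustration.

```python
import struct

# RADIUS attribute types (RFC 2868) and the values RFC 3580 uses for VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

# Assumed group-to-VLAN policy; names and IDs are constructed for this example.
GROUP_VLAN = {"engineering": 20, "finance": 30, "guests": 99}


def _tlv(attr_type, value):
    # Type (1 byte), Length (1 byte, counts the 2-byte header), Value.
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_attributes(group):
    """Encode the Access-Accept attributes that steer a member of `group` into its VLAN."""
    vlan_id = GROUP_VLAN[group]  # unknown group raises KeyError: no silent default VLAN
    return (_tlv(TUNNEL_TYPE, struct.pack("!I", VLAN))  # tag 0x00 + 3-byte value
            + _tlv(TUNNEL_MEDIUM_TYPE, struct.pack("!I", IEEE_802))
            + _tlv(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode("ascii")))


def assigned_vlan(attrs):
    """Return the VLAN ID an attribute block assigns, or None if incomplete or malformed."""
    seen, pos = {}, 0
    while pos + 2 <= len(attrs):
        attr_type, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            return None  # corrupt or truncated attribute
        seen[attr_type] = attrs[pos + 2:pos + length]
        pos += length
    if pos != len(attrs):
        return None  # stray trailing byte
    tunnel = seen.get(TUNNEL_TYPE, b"")
    medium = seen.get(TUNNEL_MEDIUM_TYPE, b"")
    group = seen.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if len(tunnel) != 4 or int.from_bytes(tunnel[1:], "big") != VLAN:
        return None
    if len(medium) != 4 or int.from_bytes(medium[1:], "big") != IEEE_802:
        return None
    if group and group[0] <= 0x1F:
        group = group[1:]  # optional one-byte tag precedes the VLAN ID string
    if not group.isdigit():
        return None
    vlan_id = int(group)
    return vlan_id if 1 <= vlan_id <= 4094 else None  # valid 802.1Q VLAN IDs


if __name__ == "__main__":
    print(assigned_vlan(vlan_attributes("finance")))
```

Running a check like `assigned_vlan` against captured Access-Accept attributes helps confirm that each group lands in its intended segment rather than falling back to the access point's default VLAN.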
Integration Work and Considerations
This all sounds great in theory, but what about in practice? While Ruckus and other network gear manufacturers continue to make it easier and easier to create VLANs, the overhead of integrating FreeRADIUS and the identity provider (generally an OpenLDAP™ or Microsoft® Active Directory® implementation) can be a deterrent to adopting this capability and, ultimately, to improving your network security. In addition, the integration between the identity provider and the FreeRADIUS solution is not the only integration you would have to configure. You must also consider the WAP (of course), and you need to ensure that each endpoint is running the same version of the RADIUS protocol and supplicant. It is a great deal of work.
VLAN Steering with Ruckus
Thankfully, a new feature for VLAN steering with Ruckus is available via a modern cloud identity management solution called Directory-as-a-Service®. One key feature of this comprehensive cloud directory is the ability to leverage RADIUS and VLAN tagging without all the heavy lifting of standing up a RADIUS server and integrating it with all the other components on your network. Case in point, Directory-as-a-Service has the identity provider built in, which eliminates a major integration point. Further, there are no supplicants to install and no checking to make sure each system is running the right version of the protocol. Just install the lightweight JumpCloud agent on each user machine that needs to be managed (a process that can be automated), point the WAPs at the RADIUS-as-a-Service, and decide which users and/or groups are on each VLAN.
Ready to Try Directory-as-a-Service for Yourself?
If VLAN steering with Ruckus and JumpCloud sounds like just the combination to boost your network security, you can evaluate Directory-as-a-Service and find out for yourself today. When you sign up for a JumpCloud account, you get instant access to the full-featured version of the product. 10 free users are included as well, and they always will be. If you need implementation information, navigate over to our Knowledge Base or drop us a line, and we can help you get the most out of your account.